Share

New Multiplatform Backdoor Jacksbot Discovered

Upon further analysis, it's been determined that this trojan is the Java RAT (aka jRAT) created by the hacker/programmer redpois0n.

____

A new Java backdoor trojan called Java/Jacksbot.A has been discovered that has partial multiplatform support. It is fully functional on Windows, and partially functional on OS X and Linux. This trojan is currently considered low risk as it is not known to have infected users, and it does not run without root permissions. Jacksbot has the usual backdoor functionality, including the following capabilities:

gathering system information

taking screenshots

performing denial of service attacks

deleting files

stealing passwords (including specifically Minecraft passwords)

visiting remote URLs, likely to perform Clickfraud

This code is looking for Minecraft passwords.

It appears likely that this trojan is intended to be dropped by another component that has not yet been identified. The present component will exit with an error message if the Java archive is not run with root permissions. There is also no functionality to trick the user into running the file. We will post additional information about the threat as more is discovered.

Intego VirusBarrier users with up-to-date virus definitions are protected from this threat, which is detected as Java/Jacksbot.A.

– The author is not the person who infects anyone, nor does he control any infected machines.

LysaMyers

Thanks to you folks that have clarified about the identity of redpois0n. The update has been changed to reflect that this is one person, not a group, and that he also refers to it as jRAT. We’ve not made any statements about who is using this, or whether this has affected anyone’s system. The sample we received, as we noted, did not include a dropper and was likely incomplete. If you would like more information about our naming conventions, you can see our blog post on the subject: http://www.intego.com/mac-security-blog/how-does-malware-naming-work/